net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_set...

commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 upstream.

ctx->crypto_send.info is not protected by lock_sock in
do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
and error paths of do_tls_setsockopt_conf() may lead to a use-after-free
or null-deref.

More discussion:  https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/

Fixes: c2c217d10788 ("tls: kernel TLS support")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 7aba4ee77aba30a333425ff700a5f90ec1c41ae8..cb51a2f46b11d9b25fea20786b729736fbc9c710 100644 (file)
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -371,13 +371,11 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
                        rc = -EINVAL;
                        goto out;
                }
-               lock_sock(sk);
                memcpy(crypto_info_aes_gcm_128->iv,
                       ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
                       TLS_CIPHER_AES_GCM_128_IV_SIZE);
                memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
                       TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
-               release_sock(sk);
                if (copy_to_user(optval,
                                 crypto_info_aes_gcm_128,
                                 sizeof(*crypto_info_aes_gcm_128)))
@@ -395,13 +393,11 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
                        rc = -EINVAL;
                        goto out;
                }
-               lock_sock(sk);
                memcpy(crypto_info_aes_gcm_256->iv,
                       ctx->tx.iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
                       TLS_CIPHER_AES_GCM_256_IV_SIZE);
                memcpy(crypto_info_aes_gcm_256->rec_seq, ctx->tx.rec_seq,
                       TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
-               release_sock(sk);
                if (copy_to_user(optval,
                                 crypto_info_aes_gcm_256,
                                 sizeof(*crypto_info_aes_gcm_256)))
@@ -421,6 +417,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
 {
        int rc = 0;
 
+       lock_sock(sk);
+
        switch (optname) {
        case TLS_TX:
                rc = do_tls_getsockopt_tx(sk, optval, optlen);
@@ -429,6 +427,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
                rc = -ENOPROTOOPT;
                break;
        }
+
+       release_sock(sk);
+
        return rc;
 }